Bug 1342401
| Summary: | Allow NetworkManager to create temporary /etc/resolv.conf.XXXXXX file | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Thomas Haller <thaller> |
| Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Milos Malik <mmalik> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.3 | CC: | jneedle, jsefler, jstancek, lvrabec, mmalik, petergre, plautrba, psklenar, pvrabec, ssekidde, thaller |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | Flags: | thaller: needinfo- |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | selinux-policy-3.13.1-80.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-08-13 15:04:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1337222 | | |
**Thomas Haller (reporter):** Before version 1.2.0, up to rhel-7.2, NetworkManager would rewrite /etc/resolv.conf by first writing to a temporary file /etc/resolv.conf.tmp, which then gets renamed. Now, NetworkManager uses g_file_set_contents(), which first creates a file like /etc/resolv.conf.LQ18HY, which then gets renamed. (The pattern here is: "/etc/resolv.conf.XXXXXX".) That fails currently with:

```
Jun 03 09:56:44 x250 audit[1308]: AVC avc: denied { rename } for pid=1308 comm="NetworkManager" name="resolv.conf.IU9HIY" dev="dm-2" ino=9702046 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
```

Is it possible to allow NetworkManager to write to any .XXXXXX file? Note that this needs additional caution, because previously resolv.conf.tmp also got labeled as unconfined_u:object_r:net_conf_t:s0. Thus, the default label for resolv.conf.XXXXXX must also be updated.

**Lukas Vrabec (comment #2):** Thomas, is this feature also in Fedora?

**Thomas Haller:** (In reply to Lukas Vrabec from comment #2)
> Thomas,
> Is this feature also in Fedora?

Yes. Fedora 24+ and rhel-7.3 both have NetworkManager 1.2.0+. The behavior from comment 1 is necessary with the "rc-manager=file" configuration setting. In this case, NM now wants to create the temporary file /etc/resolv.conf.XXXXXX (instead of /etc/resolv.conf.tmp). rc-manager=file will be the default on rhel-7.3, but not on Fedora. There is another, new mode: rc-manager=symlink. This is the default on Fedora 24+. I think the policy should allow for both ways (rc-manager=file|symlink) on both Fedora and RHEL, even if the default differs between them.

Another thing: with rc-manager=symlink, NM wants to create a temporary symlink "/etc/.resolv.conf.NetworkManager" and renames that over to /etc/resolv.conf. The policy should allow for that too. Strangely enough, this already works for me on Fedora 23, so I guess there is already a policy change to allow that. Could you please confirm that this is allowed too?

**Closing comment:** The requested permissions seem to have already been present in the current version as a result of other implemented changes, hence closing CURRENTRELEASE.
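The two write patterns this report describes (the `resolv.conf.XXXXXX` temporary file renamed over the target for rc-manager=file, and the `.resolv.conf.NetworkManager` temporary symlink renamed over the target for rc-manager=symlink), as an added shell example that is not NetworkManager's or selinux-policy's own code. It lets an admin reproduce the exact filesystem operations in a scratch directory, or against /etc as root on a test host, and then check what label the loaded file-context rules assign to the temporary names. It assumes mktemp(1) accepts a path template (as on RHEL and Fedora) and that matchpathcon(1) from policycoreutils may be installed; the demo directory and the nameserver address are constructed inputs.

```shell
#!/bin/sh
# Added example, not NetworkManager's or the policy's code. Reproduces the two
# resolv.conf rewrite patterns described in the bug so the local SELinux policy
# can be checked against them. Use a scratch directory unless you really want
# /etc/resolv.conf rewritten.

# Pattern 1 (rc-manager=file, NetworkManager >= 1.2 via g_file_set_contents()):
# write "<target>.XXXXXX" in the same directory, then rename(2) it over the
# target. The rename is the step the AVC message in the report shows denied
# when the temp file is labeled etc_t instead of net_conf_t.
# Assumption: mktemp accepts a path template (GNU coreutils does).
atomic_write_file() {
    target=$1
    content=$2
    tmp=$(mktemp "$target.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$target"
}

# Pattern 2 (rc-manager=symlink, Fedora 24+ default): create a temporary
# symlink ".resolv.conf.NetworkManager" next to the target, then rename it
# over the target. mv does not follow the source symlink, so the target
# becomes the symlink itself.
atomic_symlink() {
    target=$1
    dest=$2
    dir=$(dirname "$target")
    tmp="$dir/.resolv.conf.NetworkManager"
    rm -f "$tmp"
    ln -s "$dest" "$tmp" || return 1
    mv -f "$tmp" "$target"
}

# Print the label the file-context rules give to each name involved. If the
# XXXXXX name resolves to etc_t rather than net_conf_t, the default label
# needs fixing in addition to any allow rule, as the report points out.
# Assumption: matchpathcon from policycoreutils is installed; otherwise we
# just say so and succeed.
show_expected_labels() {
    if ! command -v matchpathcon >/dev/null 2>&1; then
        echo "matchpathcon not installed; skipping label check"
        return 0
    fi
    matchpathcon /etc/resolv.conf /etc/resolv.conf.LQ18HY /etc/.resolv.conf.NetworkManager
    # After exercising the real /etc as root, list any fresh denials with:
    #   ausearch -m avc -ts recent
}

# Offline demo on constructed input (a temp dir, not /etc).
demo() {
    d=$(mktemp -d) || return 1
    atomic_write_file "$d/resolv.conf" "nameserver 192.0.2.53" || return 1
    atomic_symlink "$d/resolv.conf" "$d/run-resolv.conf" || return 1
    ls -la "$d"
    rm -rf "$d"
}
```

To test the actual policy, run `atomic_write_file /etc/resolv.conf "$(cat /etc/resolv.conf)"` as root on a disposable host and compare the result of `ls -Z /etc/resolv.conf` with the `net_conf_t` label the report expects; `show_expected_labels` tells you in advance whether the temporary names would inherit `etc_t`.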